User:Chintan.doshi

Electronic Records and Trust Frameworks

Abstract
With the onset of the digital age most of the records are still retained on paper but as the electronic record system flourishes it also gives rise to certain issues pertaining to it. The aim of this chapter is to provide suggestions to establish trust in the electronic record framework. This chapter deals with basic functionalities of an electronic record management system like accessing the data, retrieving the data and retention policies. The lifecycle of electronic records such as identifying, capturing and storage of electronic records has been described. The chapter also touches upon the options of implementing open source systems to manage electronic records within an organization or state agency. It also helps in understanding various record management systems available in the market and making a proper choice for their implementation in an organization.

Introduction
Electronic record management is an essential issue which needs to be addressed in every company implementing information systems. In recent years the federal agencies have embraced the idea of electronic records over the traditional paper records. Due to the need for archiving the data the paper based records face the problem of becoming increasingly difficult to manage. As this occurs, legal requirements and management efforts designed for paper records become progressively less satisfactory to ensure an adequate legal and historical record of organizations or state agencies decision making.

Content, Structure and Context with regard to electronic records
Electronic Records warrant special regard with respect to their management due to the following characteristics associated with them: An electronic record can be considered to be complete only if all the above mentioned characteristics are maintained. From a legal standpoint, an electronic record is not admissible as evidence if it cannot be reconstructed in its entirety, with all of its characteristics consolidated in a meaningful manner. For an electronic record management framework to be effective it should emphasize on maintaining all of the attributes of a record, namely the content, context, medium and structure. Metadata for electronic records needs to be maintained to provide the business, technical and contextual information and to establish an audit trail. The creation of metadata should be an integral component of the record keeping system.
 * 1) 	Content: The part of the record that conveys the actual message which may be text, video or sound.
 * 2) 	Context: The information that helps in understanding the origins of the record and the business, technological, procedural or legal framework that the record is a part of.
 * 3) 	Medium: The physical carrier that stores/transfers the content of the record.
 * 4) 	Structure: The arrangement of the content within the record i.e. formatting etc.

Ensuring Legal Admissibility
In order to meet the requirements of legal admissibility, electronic records need to be authentic and reliable. For a record to be authentic, it needs to be what it claims to be. An authentic record ‘does not result from any manipulation, substitution, or falsification occurring after the completion of its procedure of creation, and it is therefore what it purports to be’. ‘A record is considered to be reliable when it can be treated as a fact in itself’ (Duranti, 1994). For a record to be reliable its creation needs to be procedurally controlled. In the case of business records, there is an increasing shift towards implementing controls in the record keeping process to ensure the reliability and authenticity of electronic records. From a legal standpoint, if the record keeping process is designed and implemented with adequate controls and if this is verifiable through the presence of an audit trail, the records are generally admissible in court.

Electronic Storage Reliability
The Uniform Photographic Copies of Business and Public Records as Evidence Act (there are both federal and state versions) states that a reproduction made by any "process which accurately reproduces or forms a durable medium for reproducing the original is as admissible in evidence as the original itself. With the advent of electronic records paper records are still considerably significant in many organizations. Therefore mixed data storage is utilized in various companies. For example, many companies store scanned documents and electronic/hard copy faxes in addition to completely electronic exchange storage, such as email. This act is important because it bridges electronic and hard storage. It also helps to define what is considered "an original" document. For a reproduction of an electronic record to be as acceptable as the original, the medium used for the storage of records must be reliable and must support the reproduction of an accurate facsimile of the original record. The United States Securities and Exchange Commission (SEC) regulation mandates that "the electronic storage media must: preserve the records exclusively in a non-rewriteable, non-erasable format." This regulation also stipulates that "if employing any electronic storage media other than Optical Disk technology, the member, broker, or dealer must notify its designated examining authority at least 90 days prior to employing such storage media. (Charla,G-B)

Recordkeeping Systems
Record keeping systems are manual or automated systems in which records are collected, organized, and categorized to facilitate their preservation, retrieval, use, and disposition must be established that will:
 * 1) 	Organize records;
 * 2) 	Index records; and
 * 3) 	Allow appropriate staff access to all records. (Budget, 1998)

Electronic Recordkeeping System
An electronic system in which records are collected, organized, and categorized to facilitate their preservation, retrieval, use, and disposition may be either A distinct electronic recordkeeping system may comprise of an application program which provides recordkeeping functionality, data and metadata needed for management of the records controlled by the system, and any electronic records managed by the system. An electronic recordkeeping system may be part of another system, such as an application system or an electronic document management system, when the design of that system includes recordkeeping functionality (South Carolina Department of Archives & History, 2005) Characteristics of Recordkeeping Systems A recordkeeping system must be designed to manage and retrieve information admissible for legal actions and available as evidence for audits and other legal scenarios where the record may be presented as evidence. This is accomplished through the development of policies that promote the creation and maintenance of trustworthy systems to produce authentic and reliable records.
 * 1) 	A distinct system designed specifically to provide recordkeeping functionality or
 * 2) 	Part of another system. (Agency Recordkeeping Requirements, 2004)

Creating Electronic Record Systems
Electronic recordkeeping systems must have accurately documented policies, assigned responsibilities, and formal methodologies for their management. At the same time the organization needs to ensure that the system itself is safe guarded from external and internal sources in such a way that those with proper access alone should be able to access the system only when it’s required. Electronic recordkeeping systems must meet the following criteria:
 * 1) Consistent: recordkeeping systems must process information in a manner that assures that the records they create are credible.
 * 2) Complete: contain content, structure, and context generated by the transaction they document.
 * 3) Accurate: quality controlled at input to ensure the information in the system correctly reflects what was communicated in the transaction.
 * 4) Preserved: records must continue to reflect content, structure, and context within any system by which the records are retained over time. (South Carolina Department of Archives & History, 2005)

For electronic records systems that produce, use, or store data files, disposition instructions for the data should be incorporated into the system's design. All organizations should maintain adequate technical documentation for each electronic records system, including documentation of system design, implementation, use, and migration.

Identifying Electronic Records
Organizations have traditionally used records surveys and inventories to identify which records they maintain and to decide what to do with those records. In an electronic context, surveys of physical storage media (e.g. tape libraries or workstation hard drives) do not provide much useful information for determining which records exist or for deciding what to do with them. In order to enhance performance and convenience, most information systems make use of redundant data, through such practices as caching, disk duplexing, mirroring, clustering, client-side processing, desktop information management, disaster recovery measures, and routine system backups. Instead of attempting to inventory all of this data that exists at any one time, electronic records management requires the identification of organization functions, processes, transactions and activities to be documented. Once these have been identified, it will be possible to determine which data and associated metadata must be retained to serve as an official record.

Capturing Electronic Records
Strategies for capturing electronic records will differ, depending on the opportunities presented by an organization's hardware and software environment. Locations at which records can be captured include software layers (especially suited to open systems environments) and at every interface between hardware components through which the relevant data passes. The technological environment will influence the decisions as to whether records are captured through: Also there are various other factors that influence when and how these records are captured such as the organizational environment will also influence the point at which records are captured. This will include perceptions about what constitutes a record, assignment of responsibility, agency requirements to create records, and staff understanding of the technology involved. Regardless of the approach an organization takes, it must be able to identify specific information objects as records and somehow distinguish between the types of records to which different business and retention requirements must be applied. Possible approaches include:
 * 1) 	The user interface layer,
 * 2) 	Modification of the application software,
 * 3) 	The operating system,
 * 4) 	The application program interface (API), or
 * 5) 	The front end to a corporate filing system.( Kansas Electronic Records Management Guidelines)
 * 1) 	Business transaction information is identified in an "envelope" or file header, so the file does not need to be opened to be identified.
 * 2) 	The record creator is responsible for capturing his or her own records and assigning management practices to them at the point of creation. This could be implemented as a screen the user fills in before documents can be saved or messages can be sent.
 * 3) 	A user interface is designed so that users can choose between a number of icons representing business tasks or style templates, e.g., "send policy" or "make appointments." The choice of icon can engage the appropriate application, distribution lists, and style sheets and records disposal authorities. The sender thus affects scheduling but need not make conscious decisions about assigning retention periods to records.

Access to Electronic Records
Access to any given electronic record is governed by the Open Records Act of 1983. The record essentially allows public access to records regardless of their physical format or location. The access to the documents however needs to be governed. Now, more than ever, the responsibility for reference and access is a shared responsibility between the Archives and government or any kind of agencies. State archives are the higher bodies which deal with the electronic record keeping. Government agencies are required to retain electronic records to meet minimal legal retention requirements imposed by statute, or business or administrative needs. Electronic records which are to be preserved for a longer period of time need to be preserved in a form which is accessible to all the users who have access to it. It should also be in a usable form by the state agencies or any particular private agency. Any electronic cannot be arbitrarily destroyed from the archive it needs to be legally destroyed following the records disposition act issued by the state archive or the governing body. (Aveni,Kowlowitz, and Mashburn, 2001)

At a broader level, the State Archives' role will be to: Safeguarding access: The electronic records are distributed and replicated over various systems. Public access is not given to the live system but rather to a mirror site or parallel system. Any sensitive or classified records should be appropriately encrypted to prevent unauthorized access. Standard authentication like a username and password need to be followed in any case. Users are to be given access rights and only users with the appropriate rights are allowed to make changes to the electronic record.
 * 1) 	Advise organizations on matters related to access to records with enduring value,
 * 2) 	Set standards for their preservation and accessibility, and
 * 3) 	Work with agencies to identify the access status of classes of records during system design, major modification or appraisal. (Kansas Electronic Records Management Guidelines)

Retrieval of electronic records
Using of electronic records brings in more challenges like maintenance of existing system, migrating to a new system and/or system redesign. There are chances that during the implementation of the new system certain data or documents may be lost or accidently deleted. Retrieval of such documents is very important. All information in the current system must be migrated to the new system. The conversion must ensure that the converted records are authentic, reliable, and usable and have integrity. A new system can be developed which allows multiple user access to the system and makes a log of every transaction or changes made to a record. It will assure continued access to current records while permitting the future migration to new hardware and software. It will allow rapid retrieval of information while providing frequent backups and disaster recovery.

Establish standards for file formats: A policy should be in place which associates an approved data file format for every record. Even after using particular software for data retrieval and display it is subject to change either by updating it to the new version or migrating to a new system from an old one. To avoid any glitch in the data retrieval process a policy of approved media formats for records storage will facilitate data migration to ensure long-term retrieval of electronic records.

Record Retention Policies and Procedures
Record retention refers to the amount of time the record is to be kept and managed before it can be destroyed. This length of time is determined by assessing the value and the authenticity of the record from a legal and business standpoint. Having a retention policy in place is necessary due to the unusually large amounts of data we are inundated with, in the present age. Hence the record keeping agency needs to identify records that are of enduring value and ensure that they are maintained on the record keeping system for a defined period of time. According to the Interpares project (Terry Eastwood) if it is determined that an electronic records does not convey the meaning that it did at the time of its creation, the appraiser can decide that the record need not be preserved. Another determining factor that can affect record retention policies is the feasibility of preservation of the record. This depends on the record keeping agency’s hardware and software capabilities along with the financial and storage constraints. An example that illustrates the importance of a well-defined record retention policy is the deletion of an official e-mail by former Assistant Secretary – Indian Affairs, Neal McCaleb due to the allocation of too little hard disk space. (Wright, 2009)

Written Procedures/Training
Since computer systems are used to create and store records, organizations should write procedures to control the use, access, and productivity on the personal computer. All employees with access to these systems should receive guidance on the following issues: 3	How to mark or classify documents for filing or incorporation into an electronic system with recordkeeping capabilities, when appropriate; and
 * 1) 	How to distinguish official records from non record material;
 * 2) 	How to know when receipts or acknowledgments for e-mail messages are needed for recordkeeping purposes;
 * 3) 	How and when to generate a recordkeeping copy of e-mail messages, receipts or acknowledgments, spreadsheets, word processing documents, and data base reports;
 * 1) 	How to contact the record coordinator in their agency or the records analyst from ISD Records Management for assistance. (South Carolina Department of Archives & History, 2005)

Managing Legacy Records
One of the inherent issues with electronic records is their dependency on the underlying technology that is used to create/store/modify the records. This dependency proves to be a deterrent in the maintenance, access and retrieval of records that are stored on legacy systems. As the information system becomes redundant, so do all the records that are stored on them. As the (Dollar, 2005) mentions, media renewal is one way of dealing with issues of continued readability and accessibility of records stored on legacy systems. It involves copying data over to new storage media while maintaining the processibility and the essential characteristics of the records. One of the approaches for dealing with legacy records is software emulation that involves using present-day software to replicate the functionality of another information system (a legacy information system in this scenario) with the intent to enable access to legacy records. Data migration is another solution where the emphasis is on converting legacy records to technology neutral files formats to do-away with the dependency on the underlying technological platform. However this process needs to be carried out with a stringent quality control mechanism to ensure that the data is transferred without introducing errors and losing the defining characteristics of the original record.

The Importance of Open Standards for Electronic Records Management
Open source systems can be embraced by every agency enabling record management. Data interchange, interoperability, migration of system etc all depend on the open source standards. The motive being that the electronic record or data should not be dependant or attached to one particular software or hardware of a proprietary vendor. Any kind of file formats, protocols and various system specifications which are adopted by the state agencies should be recognized by various standard international or national bodies. Since the standards which fulfill the requirements are publically documented and accepted by standard governing bodies and multiple vendors, the agencies will be less likely stuck with records which are valuable but inaccessible. Hence the companies will tend to switch over to open system over closed system to enable standardized methodology for data management. Open sources are cheap alternatives to commercial systems which enable electronic record management. Various companies and government organization are willing to switch on to open source standards. The only problem here is that open sources standards are not very well developed in the industry as of yet. Open source is great but it should be done on a pragmatic basis.

Inter-Agency Transfer of Records
When electronic records are transferred from one agency to the other, apart from the content it is necessary to transfer contextual information along with the metadata related to the record. There must be a well defined protocol for the interagency transfer of records. The National Archives and Records Administration (NARA) in its code of regulations lists that in addition to the record, agencies must transfer documentation that aids in the interpretation of the content. Any agengy transferring records to the U.S. National archives is mandated to complete a Technical Description form (NARA form 14097) and an Information System Description Form (NARA Form 14028). In the case of databases record layouts, data element definitions and code translation tables for coded data values are required to be submitted. (NARA Code of Federal Regulations, 2009)

Digital signatures
We can use digital signatures to identify whom an electronic record stored in PDF format came from and how a signed document has been modified before it was transferred or stored in the system. Digital signatures can provide electronic records the same, or better, assurances that many paper-based processes have in the past. There are many types of electronic signatures. We can write our name on an electronic signature pad, or it can simply be a record of a user clicking an ‘I Agree’ button on a web page. However, electronic signatures don’t necessarily mean that the documents are genuine or have not been tampered with before they are stored or accessed. Thus a better way is to also provide digital signatures. A digital signature is a specific type of electronic signature that includes technology to establish the authenticity of the signed content. Software should use digital signatures that are based on public key infrastructure (PKI) technologies to establish authenticity in PDF documents if these documents are being transferred between groups or departments. PKI systems use certificates and keys to identify individuals or organizations. (Adobe systems INC., 2007) The owner uses a key to “sign” the document, and the recipient uses a key to verify the signature and the authenticity of the signed document. Supporting technologies help establish other non repudiation features like the time of signing and the status of the signing keys. Signature appearances help human verifiers understand the nature of a signature. The signing party usually determines the appearance of a digital signature in a PDF document. The signature image can be a simple text box, a corporate or organizational logo, a photo, or even an image or capture of a handwritten signature, depending on the nature of the record and the context of the signature.

Records Management Software
Records management software systems help businesses and government agencies manage a variety of activities and functions, from file requesting and tracking to retention and disposition to access and security. Records management focuses on preserving the integrity of records throughout their lifecycle. Records management systems are designed to maintain a record’s integrity and to track the chain of custody and manage retention and destruction. Furthermore, in a records management software solution, records in any form (electronic or physical) can be managed in a single collaborative system. To select proper management software we need to make an inventory of the records. The inventory should include the location of the data, the condition of the data, the access rules etc. We then need to determine what kind of software we need after completion of the inventory. We need to investigate the functionality of software. Functionality essentially includes help features, menus and commands, speed and accuracy and access security classification. After determining the requirements choosing the software is relatively an easy job. There are many off-shelf software available in the market. Another option is to get a software custom-made to the user requirements. The decision is basically in the hands of the organization to select which is the most efficient and cost effective software. (Moreland, 2002)

Conclusion
Building controls into the record keeping system can go a long way in establishing trust in the electronic records stored on the system. Record keeping systems need to be designed in a manner that increases transparency and accountability. There must be stringent procedures, guidelines and control mechanisms established for every stage of the electronic record life-cycle. Effective record management procedures must be seamlessly integrated into the business processes of an organization or state agency. Without the development of modern recordkeeping policies, procedures, and practices for both manual and electronic formats, there is a danger that many of the gains that had been made in recent years would be at risk in the future. Organizations and state agencies need to ensure that the records of day-to-day business are authentic, accurate, reliable and complete from a legal standpoint, while citizens needed to be certain that records would be properly managed to ensure accountability and transparency of organizations and state agencies, to protect their rights and entitlements.